Generally, the present application relates to data processing. More specifically, the application is related to managing session activity of single sign-on (SSO) access for enterprise software spanning multiple data centers.
Enterprise computer networks are often spread over different computing data centers (DC). Each data center may be implemented by one or more server computers. The data centers can be geographically co-located or dispersed. One or more server computers of a data center can implement an access management system to manage access for the data center. For scalability and high availability, multiple server computers can be deployed as a cluster in a data center. Multiple clusters across different, geographically dispersed data centers can be communicatively connected together to constitute a multi-data center (MDC) system. An MDC system addresses the high availability, load distribution and disaster recovery requirements of access servers.
An MDC system can operate as a single logical access server and can provide SSO functionality for all of the applications registered in the MDC system. Using an SSO session, a user can log into one data center and then access other data centers without logging in again for the same SSO session. For example, SSO allows a user to enter a username/password once in order to gain access to multiple associated resources accessible from other data centers. Different data centers may manage access to different resources. As such, SSO can allow a user having access to one data center to access multiple resources from other data centers based on the SSO for the user.
A data center establishes an SSO session for each user. A user request for one or more resources may hop across data centers within a single SSO session, requiring all the visited data centers to generate a session for the user. In an MDC system, an agent deployed on a client system may handle access requests to a server of a data center in the MDC system that provides access to a resource. Each data center in an MDC system may manage access to different resources. As such, a request to access a particular resource may be directed to the data center controlling access to that resource. Based on the agent's primary access configuration for the client system and the geographic affinity of the client system to the data centers in an MDC system, authentication of a user for SSO prior to accessing a resource may be handled by one data center that is different from the data center that controls access to the resource. If authentication is granted, the authorization to access the resource may be directed to the different data center responsible for access to the resource.
However, when authentication of a user for SSO and authorization to access a resource span multiple data centers in an MDC system, multiple sessions will be created for the user: one at the data center that handles authentication and another at the data center that handles the authorization. In this scenario, the session activity for the user's SSO session is split between two data centers, one for authentication and one for authorization. When an SSO session is subject to a session inactivity time period, the data center that handled the authentication may determine that the inactivity time period has elapsed even though the user was active for the SSO session on a different data center, e.g., the data center that handles authorization for a resource. The data center that handles authentication may not be aware of the session activity of a user on a different data center that manages a session for access to a resource, because a separate session is created at each data center that handles activity for a user, including authentication and access to a resource. As such, the SSO session for a user at one data center may expire even though the same user was active for a session on a different data center. As a result, the user is burdened by having to provide credentials again for re-authentication at a data center in the MDC system.
New techniques are desired for managing session activity for SSO access across an MDC system. Further desired are techniques for enabling data centers to determine whether a user was active for an SSO session at other data centers.
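The split-session failure described above, reduced to a small in-memory simulation. This is an added example and not code from the application; the data center names, the SSO identifier, the 900-second inactivity period and the timeline of activity are all constructed, and the peer lookup in `mdc_idle_expired` merely stands in for whatever cross-data-center mechanism an implementation would choose, since the text only states the need for one.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 900  # constructed: SSO session inactivity period, in seconds


@dataclass
class DataCenter:
    """One data center of an MDC system, holding its own session table."""
    name: str
    sessions: dict = field(default_factory=dict)  # sso_id -> last activity time (s)
    peers: list = field(default_factory=list)     # other data centers in the MDC

    def create_session(self, sso_id, now):
        # Each visited data center creates its own session for the same SSO id.
        self.sessions[sso_id] = now

    def touch(self, sso_id, now):
        # Record user activity seen locally (authorization, resource access).
        self.sessions[sso_id] = now

    def local_idle_expired(self, sso_id, now):
        # The problem: the check only sees activity this data center observed.
        return now - self.sessions[sso_id] >= IDLE_TIMEOUT

    def mdc_idle_expired(self, sso_id, now):
        # Assumed remedy: also consult the last activity recorded by peers,
        # so the session is only idle if the user was idle everywhere.
        last = max([self.sessions.get(sso_id, 0)] +
                   [p.sessions.get(sso_id, 0) for p in self.peers])
        return now - last >= IDLE_TIMEOUT


def split_session_scenario(consult_peers):
    """Authenticate at DC1, then work only on DC2; ask DC1 whether the session is idle."""
    dc1, dc2 = DataCenter("DC1"), DataCenter("DC2")   # constructed names
    dc1.peers, dc2.peers = [dc2], [dc1]
    sso = "sso-example-1"                              # constructed SSO id
    dc1.create_session(sso, now=0)      # authentication handled by DC1 at t=0
    dc2.create_session(sso, now=10)     # authorization at DC2 creates a second session
    for t in (300, 600, 850):           # user keeps accessing DC2-controlled resources
        dc2.touch(sso, t)
    now = 1000                          # 1000 s since DC1 last saw the user
    if consult_peers:
        return dc1.mdc_idle_expired(sso, now)
    return dc1.local_idle_expired(sso, now)


if __name__ == "__main__":
    print("local check expires session:", split_session_scenario(False))   # True
    print("MDC-aware check expires session:", split_session_scenario(True))  # False
```

With the local check, DC1 expires the session after 1000 s of silence on its side although the user was active on DC2 only 150 s earlier; the peer-aware check keeps it alive.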